From 49e60c9bba562b92112bc63ce63317a9017e6087 Mon Sep 17 00:00:00 2001 From: Markus Fritsche Date: Thu, 21 May 2026 14:40:52 +0200 Subject: [PATCH] Revert "Merge pull request 'kernel: claim src/dst at device_run, not at buf_done (fixes panic from #7)' (#8) from noether/kernel-claim-bufs-at-device-run into main" This reverts commit 6ffe92bcacccbf228c398a10c21a6818f07c67d2, reversing changes made to 79256dc7ef41f83873ca9c23db20f5888858e65d. --- kernel/daedalus_v4l2_main.c | 39 ++++--------------------------------- 1 file changed, 4 insertions(+), 35 deletions(-) diff --git a/kernel/daedalus_v4l2_main.c b/kernel/daedalus_v4l2_main.c index dce98e3..899600a 100644 --- a/kernel/daedalus_v4l2_main.c +++ b/kernel/daedalus_v4l2_main.c @@ -731,7 +731,6 @@ static void daedalus_device_run(void *priv) size_t blen, payload_len; u32 cookie; int ret; - bool claimed = false; /* src/dst removed from m2m rdy_queue */ src_buf = v4l2_m2m_next_src_buf(ctx->m2m_ctx); dst_buf = v4l2_m2m_next_dst_buf(ctx->m2m_ctx); @@ -857,28 +856,6 @@ static void daedalus_device_run(void *priv) inf = kzalloc(sizeof(*inf), GFP_KERNEL); if (!inf) goto fail_buf_error; - - /* - * Take both buffers off the m2m ready-queue HERE — before the - * inflight list grows. Once src_consumed releases the src side - * and the m2m scheduler can dispatch the next device_run, the - * NEW device_run mustn't see this dst_buf (which we're still - * holding for a future HAS_PIXELS). Without this claim, - * v4l2_m2m_next_dst_buf at the next device_run returns the same - * parked dst_buf, two inflight entries reference it, and the - * later HAS_PIXELS triggers a list_del on an already-removed - * vb2_buffer → kernel panic (observed on Pi CM5 hard reboot - * during mpv vaapi-copy playback of 720p H.264, 2026-05-21). - * - * Both helpers are inline list_del+counter-decrement under the - * q_ctx rdy_spinlock — safe to call from device_run on the - * buffer we just peeked via next_*_buf above. Mirrors the - * amphion vdec/venc pattern. - */ - v4l2_m2m_src_buf_remove_by_buf(ctx->m2m_ctx, src_buf); - v4l2_m2m_dst_buf_remove_by_buf(ctx->m2m_ctx, dst_buf); - claimed = true; - cookie = daedalus_next_cookie(); inf->cookie = cookie; inf->ctx = ctx; @@ -932,13 +909,11 @@ static void daedalus_device_run(void *priv) fail_buf_error: if (src_buf) { - if (!claimed) - v4l2_m2m_src_buf_remove(ctx->m2m_ctx); + v4l2_m2m_src_buf_remove(ctx->m2m_ctx); v4l2_m2m_buf_done(src_buf, VB2_BUF_STATE_ERROR); } if (dst_buf) { - if (!claimed) - v4l2_m2m_dst_buf_remove(ctx->m2m_ctx); + v4l2_m2m_dst_buf_remove(ctx->m2m_ctx); v4l2_m2m_buf_done(dst_buf, VB2_BUF_STATE_ERROR); } kfree(req); @@ -1099,13 +1074,7 @@ void daedalus_complete_resp_frame(u32 cookie, daedalus_pack_pixels_into_dst(dst_to_complete, fr, pixels, pixels_len); dst_to_complete->vb2_buf.timestamp = dst_timestamp; - /* - * The buffer was already removed from m2m's rdy_queue at - * device_run time (see the "Take both buffers off ..." - * block). Just call buf_done here — calling - * v4l2_m2m_dst_buf_remove_by_buf again would list_del a - * list_head that's no longer linked, smashing the list. - */ + v4l2_m2m_dst_buf_remove_by_buf(ctx->m2m_ctx, dst_to_complete); v4l2_m2m_buf_done(dst_to_complete, state); } @@ -1122,7 +1091,7 @@ void daedalus_complete_resp_frame(u32 cookie, if (src_to_complete) { if (req_to_complete) v4l2_ctrl_request_complete(req_to_complete, &ctx->hdl); - /* Already off the rdy_queue (see device_run claim) — buf_done only. */ + v4l2_m2m_src_buf_remove_by_buf(ctx->m2m_ctx, src_to_complete); v4l2_m2m_buf_done(src_to_complete, state); if (req_to_complete) media_request_put(req_to_complete);